The Global Surveillance Industry
The production of this report was supported by a grant from Remote Control, a project of the
Network for Social Change hosted by Oxford Research Group (registered charity number: 299436)
Table of Contents
Executive Summary
Introduction
Sources & Methods
Company Data
Surveillance Technologies
Transfer Data
Surveillance Companies
Selected Case Studies
Israel
United States of America
United Kingdom
Germany
Italy
Import Case Study: Middle East & North Africa (MENA)
Regulatory Mechanisms
Trade Controls
Conclusion
Annex
Surveillance Technology Explainers
Executive Summary
This report is about electronic surveillance technologies used to identify, track, and
monitor individuals and their communications for intelligence gathering and law
enforcement purposes.
Technological developments since the Cold War, during which espionage and the
monitoring of civilians were widespread, have increased the intrusiveness and power of
surveillance. The ability to monitor the communications of entire groups and nations
on a mass scale is now a technical reality, posing new and substantially more grave
human rights issues. Recent reforms of surveillance laws undertaken across political
systems with significant checks and balances show how easily surveillance
capabilities can outstrip the ability of laws to effectively regulate them. In
non-democratic and authoritarian systems, the power gained from the use of surveillance
technologies can undermine democratic development and lead to serious human
rights abuses. Opposition activists, human rights defenders, and journalists have
been placed under intrusive government surveillance1,2,3 and individuals have had their
communications read to them during torture.4 State agencies are also utilizing
technologies used for surveillance for offensive and military purposes as well
as espionage.
This report aims to map modern electronic surveillance technologies, their trade, the
companies which manufacture and export them, and the regulation governing their
trade. By doing so, it aims to increase understanding about the surveillance industry
in order to foster accountability as well as the development of comprehensive
safeguards and effective policy.
While a number of studies and media reports since the 1970s have highlighted the
role of the private sector in developing and selling surveillance technologies and the
use of specific types, there is limited data about the surveillance industry, and
obtaining reliable data is challenging. The information that is currently available
comes largely from investigative reporting, whistleblowers, and government
transparency reports.
Privacy International has compiled the information that is available within the
Surveillance Industry Index (SII), a database consisting of data and documentation
about surveillance technologies and companies, as well as reports about the use and
sale of specific technologies.
1 https://www.privacyinternational.org/node/816
2 https://bahrainwatch.org/blog/2014/08/07/uk-spyware-used-to-hack-bahrain-lawyers-activists/
3 http://apnews.excite.com/article/20150807/lt--ecuador-hacking_the_opposition-18a465a3dd.html
4 http://www.bloomberg.com/news/articles/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking
Introduction
In 1979, New Scientist reported on the role of the State Research Centre, the most
feared and hated building in Uganda, in mass killings during the eight-year rule of
dictator Idi Amin.5 Established in 1973, the centre was reportedly used by some 1500
agents to spy on and identify individuals, and subsequently to torture, terrorise, and
kill virtually anyone who fell foul of them or Amin. At the time, a police mortician
who had kept records of the subversives that had been killed by the agents said that
he had seen over 5000 corpses in the past two years, a number that he said was only
the tip of the iceberg. In total, Amnesty International charged the State Research
Centre together with other agencies with responsibility for the killing of between
100,000 and 500,000 people during Amin's time.6
The operational capacity of the Centre and its agents and their ability to assert
political and social control was directly enabled by various electronic technologies
originating in the United Kingdom. A British company, Security Systems International
Ltd, sold the unit telephone tapping devices, radio telecommunications and radio
detection devices. Despite the subsequent criticism and risk of facilitating human
rights abuses and killings by the provision of such surveillance equipment, the
provider at the time contested that there was nothing that his company had done that
was legally wrong, and that their operations had been vetted 16 different ways
backwards and forwards by the government.7
Over 30 years later, Privacy International again reported on the role that a different
British company had played in providing Ugandan agencies with surveillance
equipment.8 The report found that the Ugandan military had in 2012 used technology
sold by a British company as the backbone of a secret operation to spy on leading
opposition members, activists, elected officials, intelligence insiders and journalists.
According to a classified memo, the police and military deployed the technology
specifically to crush...civil disobedience and cra[ck] down [on] the rising influence
of the opposition by blackmailing them. In 2015, further media reports claimed
that the Ugandan government had also procured a monitoring centre from an Israeli
company designed to monitor the entirety of the nation's internet traffic.9
6 Amnesty International, The Repression Trade, Revised Briefing Paper, January 1981, available at <https://www.amnesty.org/download/Documents/200000/pol340051981en.pdf>
7
8 https://www.privacyinternational.org/node/656
9 Africa Intelligence, Museveni commits $85.5 million to monitor the Web, N1414 06/11/2015 <http://www.africaintelligence.com/ION/politics-power/2015/11/06/museveni-commits-dollars85.5%C2%A0million-tomonitor-the-web,108110202-ART>
Little was known about the trade in such surveillance technologies at the time of the
State Research Centre scandal. In 1979, Michael T Klare, then fellow of the Institute
for Policy Studies in Washington DC, dubbed the trade in technologies used for
social-control the International Repression Trade, an industry on which there was
little reliable data, but which appeared to be growing.10 Spurred by the belief of
Western powers that any erosion of government authority in the Third World nations
would undermine the process of modernisation, the Western powers responded by
strengthening the social-control capabilities of the prevailing regime. Faced with a
choice between the continuation of the status quo and a major social upheaval
culminating in the rise of unknown leaders, who may or may not respect the trade
and investment policies of their predecessors, most Western powers will opt for the
status quo despite the risks involved.11
The industrialising nations themselves, experiencing traumas related to economic
factors and ethnic and religious strife, were responding by expanding their military-police sector, and clamping down on popular movements using more aggressive and
systematic methods:
As the opposition expands and becomes more experienced in clandestine
operations, traditional police methods prove increasingly ineffective and the security
forces are obliged to use more and more sophisticated equipment to gain information
on dissident groups. New eavesdropping and surveillance technologies must be
introduced to locate opposition cells, and computers are needed to process all the
data provided by spies and informers.12
Klare noted at the time that this trade was not just confined to the Western powers
and their allies, but also being conducted between NATO countries, and between the
Socialist powers and their allied countries. Further, the trade was not just conducted
by private companies selling to international customers, but further enabled through
the establishment by Western governments of special programs to facilitate the
procurement of such equipment to security forces of allied countries, either directly
or through financial assistance. These programs came under the rubric of military and
security assistance, counter narcotics cooperation, and training and technical
assistance delivered to security forces.
Echoing Klare's bleak assessment that without companies' exports being restrained
the balance of power will continue to favour the forces of oppression, Amnesty
International in 1980 recognised this demand by militarised regimes in the Third
World for surveillance technologies that are developed and manufactured in the
arms exporting countries.13
10 Klare, M, The International Repression Trade, Bulletin of Atomic Scientists, November 1979.
11 Ibid p23
12 Ibid p23
13 Amnesty International, The Repression Trade, Revised Briefing Paper, January 1981, available at https://www.amnesty.org/download/Documents/200000/pol340051981en.pdf
14 Ibid p17
15 Ibid p16
16 http://cd.textfiles.com/group42/CRYPTO/MISC/COMPANIE.HTM
17 Wright, S, An Appraisal of Technologies of Political Control, 6 January 1998, available at <http://cryptome.org/stoa-atpc.htm#4>
18 Ibid p59
19 Amnesty International, Undermining Global Security: The European Union's Global Arms Exports, 2004, available at <http://www.amnesty.eu/static/documents/Text_ACT300032004.pdf>
20 Ibid p64
21 Wagner, B, Exporting Surveillance & Censorship Technologies, Hivos, January 2012, available at <https://www.hivos.org/sites/default/files/exporting_censorship_and_surveillance_technology_by_ben_wagner.pdf>
22 Ibid
Although the focus of this report is on civilian surveillance technologies, they also
have military applications, either being directly used in warfare, for military
intelligence, or by intelligence agencies for military end-users. As described below,
many of these technologies are also used for espionage by nation state authorities or
associated groups. Equipment used to monitor demonstrations is being used to
facilitate drone strikes, the data gained from nationwide internet monitoring tools is
being used to identify military targets and their relationships, and technology similar to that
used by police to hack into a mobile phone to gather evidence is being used for
espionage and sabotage.
This report aims to map these modern surveillance technologies, their trade, the
companies which manufacture and export them, and their regulation. By doing so, it
aims not only to bring much-needed exposure and accountability to an industry
which strives to operate in secrecy, but also to facilitate a better understanding of
modern State law enforcement, intelligence, and military practices. It also aims to
provide a foundation for further research for interpreting the modern defence and
security industry, international security, and modern warfare.
Analyses into the arms trade, the arms production industry, and military expenditure
are based on a range of open sources and official publications, including national
and international arms trade registers, national export licensing data, annual company
reports, and publications of contract awards. These are generally cross referenced
with media reporting and trade journals.
Reliable data related to intelligence capabilities is extremely difficult to access as it is
regarded as a matter of national security to keep information secret. It is therefore
largely classified and exempt from public reporting obligations and freedom of
information rules.
Public access to knowledge about contemporary North American and European
intelligence agencies has largely relied on investigative research from among others
Campbell (1988),23 Hager (1996),24 Bamford (1983, 2008),25 individuals submitting
material to platforms such as Cryptome and Wikileaks, whistleblowers such as
William Binney, Thomas Drake, Thomas Tamm, and most recently Edward Snowden,
as well as accounts by former government officials and declassified materials.
Access to reliable data about the surveillance industry suffers from these same
difficulties, and is made even more difficult by trade secrecy rules. Information about
company data, surveillance technology, and transfers has been compiled using the
sources and methods described below. However, there are significant difficulties and
limitations on carrying out a reliable industry analysis using the limited data currently
available. This report nonetheless aims to analyse the information predominantly in
the English language that is publicly available. It is hoped that researchers,
journalists, academics, and government officials will build on this analysis.
In addition to the sources and methods described below, Privacy International carries
out extensive primary investigative research, including regular field work in high risk
environments, to gather information about the surveillance industry. It also consults
regularly with journalists, researchers, and activists, as well as individuals within
industry and government officials.
23 http://cryptome.org/jya/echelon-dc.htm
24 http://www.nickyhager.info/category/books/
25 http://www.amazon.com/The-Puzzle-Palace-Intelligence-Organization/dp/0140067485
Company Data
The purpose of this report is not to analyse the entirety of the private sector's role in
the intelligence and law enforcement sector. It focuses only on companies which
produce or market a specific surveillance technology, described in the Surveillance
Technologies section. It does include Original Equipment Manufacturers (OEMs)
which specially design or market their products for surveillance purposes, but not
companies whose products have wider applications, for example in internet network
monitoring for performance purposes. Although prime contractors and private military
and security companies (PMSCs) play a pivotal and under-explored role in the
facilitation and promotion of surveillance capabilities, companies which only supply
staff or consultancy services are not included in this analysis.
Only companies which sell to government agencies or telecommunications
companies for government purposes are included. Companies which sell relatively
unsophisticated surveillance technologies on the internet are not included. As a
result, the companies which are included either do not widely market their
technologies publicly or purposefully conceal any details about their products. Many
have a minimal online presence or are allusive as to the exact capabilities and
purpose of their products.
Privacy International has for several years been collecting information on surveillance
companies and technologies within the Surveillance Industry Index (SII). The SII is the
world's largest publicly accessible database on the commercial surveillance sector,
featuring 528 companies as of May 2016. The majority of the companies have been
initially identified because they have attended a military, security, or surveillance trade
fair that has also been attended by Privacy International. The remainder of the
companies were identified through online searches and references in open sources,
including media and company registration data.
26 http://www.leedsbeckett.ac.uk/staff/dr-steve-wright/
27 Privacy International (Ed.) (1995) Big Brother Incorporated - A report On the International Trade in Surveillance Technology and Its Links To The Arms Industry. 1st ed. Vol. 1, November. Privacy International, London.
28 www.buggedplanet.info
29 http://www.europarl.europa.eu/RegData/etudes/STUD/2015/535000/EXPO_STU(2015)535000_EN.pdf
30 www.insidersurveillance.com
Surveillance Technologies
31 http://www.duncancampbell.org/content/nsa-inside-five-eyed-vampire-squid-internet
32 https://wikileaks.org/spyfiles/
Transfer Data
Reliable data about sales and exports of surveillance technology is extremely limited.
Privacy International has developed a database of all transfers of communications
surveillance technology that it has identified in the public domain, largely in the
English language. This does not include transfers of non-communications surveillance
technology such as biometrics and video/audio surveillance. As of April 2016, there
are 607 such transfers. The database contains data from open sources and
government data.
Open sources include reporting by media, NGOs, and research institutes, which to
the best of Privacy International's knowledge are accurate. Some data has been
made available through technical research, for example that conducted within the
Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global
Affairs, University of Toronto, Canada.
Government data is almost exclusively made up of national export licensing data, one
of the best sources for government data, although only Finland, the United Kingdom,
and Switzerland currently release useful statistics and only since relatively recently.
Further, export licensing data means that permission has been provided to an
exporter to export technology which falls within the control language parameters
outlined within the specific export control category. It is not a definitive indication
that a transfer has taken or will take place. An extremely limited amount of
government data has been released through freedom of information requests and
public procurement records.
Surveillance Companies
33 http://cryptome.org/jya/echelon-dc.htm
34 http://www.military.com/Content/MoreContent1/?file=cw_f_ivybells
35 See, for example, reports from the Church Committee on the formation, operation, and abuses of U.S. intelligence agencies http://www.aarclibrary.org/publib/church/reports/contents.htm
36 Brown, I & Korff, D, UK Information Commissioner Study Project: Privacy & Law Enforcement, Foundation for Information Policy Research, February 2004, p25, available at <http://discovery.ucl.ac.uk/3880/1/3880.pdf>
37 http://iks.sut.ru/publications/zakonnyy-perehvat-soobshcheniy-podhody-etsi-calea-i-sorm/
38 Lawful interception: the Russian approach, Andrei Soldatov and Irina Borogan, Privacy International, 4 March 2013, available at https://www.privacyinternational.org/news/blog/lawfulinterception-the-russian-approach
[Table: Technology/Services, Example; ISPs/Telecommunications Operator, Telecommunications Network Equipment Vendors, Surveillance companies, Distributors]
The Privacy International SII consists of surveillance companies, the more high profile
and distributors specialising in surveillance technologies, and some
telecommunications network equipment vendors.
Graphs 1, 2 and 3 show the geographical distribution of the companies in the SII,
when they were created, and the types of surveillance technology.
Companies in the SII are overwhelmingly based in large arms exporting countries.
Four of the top 5 countries in the SII where companies are headquartered also rank in
SIPRI's top five arms exporting countries over the years 2000-2015 (USA, Germany,
UK, France). 17 of the top 20 countries in which companies in the SII are headquartered
also rank within SIPRI's top twenty arms exporting countries during that period.40
Using UK government figures, eight of the top 10 countries in the SII where companies
are based also rank in the top ten defence exporters over the years 2005-2014.
Estimated Top Defence Exporters (Based on Orders/Contracts signed): 2005-14 ($BN)
Source: United Kingdom Trade & Investment Defence & Security Organisation41

Exporting Country    US$BN    Exporting Country    US$BN
USA                  204      Canada               17
UK                   116      Italy                16
Russia               73       Sweden               13
France               57       Spain                12
Germany              21       Republic of Korea
Israel               18       Turkey
39 https://www.gov.uk/government/publications/analysis-of-chinas-export-controls-against-internationalstandards/bridging-the-gap-analysis-of-chinas-export-controls-against-international-standards
40 Figures taken from SIPRI Arms Transfers Database, available at: <http://www.sipri.org/databases/armstransfers>. Largest exporters (In descending order in SIPRI Trend Indicator Values (TIVs) expressed in US$ m. at constant (1990) prices): United States, Russia, Germany (FRG), France, United Kingdom, China, Italy, Spain, Israel, Netherlands, Ukraine, Sweden, Switzerland, Canada, South Korea, Norway, Belarus, South Africa, Turkey, Poland
41 https://www.gov.uk/government/statistics/uk-defence-and-security-export-figures-2013
There is also a high level of overlap with large arms exporters within the EU, with 7 of
the top 10 countries in the SII where companies are headquartered in the EU also
featuring in SIPRI's top ten EU defence exporters over the years 2000-2015.42
They are also overwhelmingly based in advanced capitalist economies, with 87% of
the 528 companies based in Organisation for Economic Co-operation and
Development (OECD) states.
Of the 528 companies, 75% have their headquarters within North Atlantic Treaty
Organization (NATO) states.
4% of companies which feature in the SII also feature in the SIPRI top 100 arms
producing companies of 2014,43 including US-based Boeing (ranked 2nd), BAE
Systems, based in the United Kingdom (ranked 3rd), and Elbit Systems, based in
Israel (ranked 33rd).
42 Figures taken from SIPRI Arms Transfers Database, available at: <http://www.sipri.org/databases/armstransfers>. Largest exporters (In descending order in SIPRI Trend Indicator Values (TIVs) expressed in US$ m. at constant (1990) prices): Germany (FRG), France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Finland
43 http://www.sipri.org/research/armaments/production/recent-trends-in-arms-industry/The%20SIPRI%20Top%20100%202014.pdf
Exports of military and security equipment serve a dual purpose in Israel.45 Firstly, a
commercial one, providing companies and individual brokers with revenues that are
then reinvested into the industrial base, ultimately to the benefit of Israeli military and
security agencies. Secondly, exports foster military, security, and diplomatic ties with
recipient countries. Exports of intelligence equipment can play a particularly
important role in strengthening intelligence cooperation. It is unclear how high a
priority is placed on the consideration of human rights within decision making in
Israel's government when it comes to licensing exports of strategic goods. A recent
amendment to export licensing rules that would have put the consideration of human
rights records into law was rejected by the foreign ministry.46 Activists have pointed to
ongoing military exports from Israel to Azerbaijan and South Sudan as evidence that
military exports from Israel are leading to human rights violations.47
Military conscription is mandatory in Israel, meaning that the entire non-Arab
population with some exceptions receives military or intelligence training. In addition
to intelligence units of the armed forces and the domestic and foreign intelligence
agencies, the signals intelligence agency responsible for monitoring communications,
known as Unit 8200, is the largest unit within the Israeli Defense Forces.48 In 2014, 43
former Unit 8200 soldiers issued a letter to the Prime Minister saying that there was
no oversight on surveillance methods used by the unit against Palestinians, allowing
for the continued control of millions of people and in-depth inspection that's
invasive to most areas of life.49 Expertise learned during military and intelligence
service can then be applied to the private sector. The Financial Times reports that
Israeli companies account for some 10% of the global cyber security market, and that
in 2014 exports of cyber security equipment exceeded exports of military hardware
for the first time.50
There are 27 surveillance companies with headquarters in Israel in the SII. Out of the
top five countries represented in SII, Israel is home to by far the largest number per
capita, with 0.33 companies per 100,000 people located in Israel, compared to 0.04
in the United States and 0.16 in the United Kingdom.
44 Chosen as the top 5 countries in which surveillance companies are based, but with Italy replacing France due to there being more information available in the public domain on transfers from Italy to inform analysis
45 http://www.globes.co.il/en/article-1000635747
46 http://972mag.com/who-will-stop-the-flow-of-israeli-arms-to-dictatorships/114080/
47 http://www.haaretz.com/israel-news/.premium-1.669852
48 http://www.haaretz.com/israel-news/.premium-1.585863
49 http://www.ynetnews.com/articles/0,7340,L-4570256,00.html
50 http://www.ft.com/cms/s/2/69f150da-25b8-11e5-bd83-71cb60e8f08c.html
51
52 Demand/Supply: Exposing the Surveillance Industry in Colombia, Privacy International, September 2015, <https://www.privacyinternational.org/sites/default/files/DemandSupply_English.pdf>
53 Phone calls, e-mails of high-profile citizens monitored for past two years, Daily Express, 26 November 2008, <http://www.trinidadexpress.com/news/Listening_in___-115542299.html>
54 Africa Intelligence, Museveni commits $85.5 million to monitor the Web, N1414 06/11/2015 <http://www.africaintelligence.com/ION/politics-power/2015/11/06/museveni-commits-dollars85.5%C2%A0million-tomonitor-the-web,108110202-ART>
55 Bamford, James, The Espionage Economy, Foreign Policy, 22 January 2016, <http://foreignpolicy.com/2016/01/22/the-espionage-econom>
56 Barbara Opall-Rome, Israeli Smartphone Targeting System Cleared for Export, Defense News, Aug. 2013
57 http://www.nonproliferation.eu/web/documents/other/siemontwezeman4f7dafb3c4a92.pdf
58 https://wikileaks.org/saudi-cables/doc43348.html
59 http://www.haaretz.com/israel-news/.premium-1.535794
60 http://www.upi.com/Business_News/Security-Industry/2013/07/19/Israeli-defense-industry-exports-underscrutiny/UPI-11581374259134/
61 http://www.globes.co.il/en/article-1000718874
62 http://www.premiumtimesng.com/investigationspecial-reports/196964-how-jonathan-govt-paid-companieslinked-to-doyin-okupe-to-hack-unfriendly-websitesinvestigation-how-jonathan-govt-paid-companieslinked-to-doyin-okupe-to-hack-unfriendly-websites-2.html
63 http://www.intelligenceonline.com/corporate-intelligence/terabytes/2015/12/02/circles--mobile-phonecompany-intercepts-3g,108114286-ART
64 http://www.forbes.com/sites/jeffbercovici/2013/10/31/vocativ-brings-the-tools-of-the-spy-world-into-thenewsroom/#4eac16857a17
65 http://boingboing.net/2006/08/24/report-uk-us-cos-sol.html
66 https://beta.companieshouse.gov.uk/company/04338196/officers
There are 122 companies with headquarters in the United States, the most in the SII.
One of the most obvious explanations for this would be the relative size and
sophistication of security agencies within the US and size of the domestic US market
for surveillance technology. The Black Budget,67 a leaked breakdown of expenditure
of the 2013 US intelligence program, which does not include amounts for law
enforcement agencies such as the Drug Enforcement Administration, revealed that
the total US intelligence budget in 2013 was $52.6 billion - in constant dollars
estimated to be double that of 2001. According to a Bloomberg Industries analysis,
70% of the 2013 United States intelligence budget was contracted out to private
companies,68 while the Black Budget revealed that over 20% of 107,035 employees
across the various intelligence agencies were private contractors.69 Research and
development into high technology are subsidised through the Pentagon and
subsequently commercialised.70 Total US military expenditure, including R&D, was
$596 billion in 2015, more than double that of second-placed China, and 36% of the
global share of expenditure.71
Internet and phone monitoring technology developed by Narus, a subsidiary
of Boeing until it was bought by Symantec, a Fortune 500 technology company,
has been used by the NSA to monitor the AT&T network.72 According to their
marketing vice president, Narus technology is capable of recording all traffic in an
internet protocol network, including emails, attachments, internet histories, and even
VoIP calls. It was reportedly also used in Egypt prior to the 2011 uprising.73
67 https://www.washingtonpost.com/world/national-security/black-budget-summary-details-us-spy-networkssuccesses-failures-and-objectives/2013/08/29/7e57bb78-10ab-11e3-8cdd-bcdc09410972_story.html
68 http://www.bloomberg.com/news/articles/2013-06-20/booz-allen-the-worlds-most-profitable-spy-organization
69 https://www.washingtonpost.com/world/national-security/black-budget-summary-details-us-spy-networkssuccesses-failures-and-objectives/2013/08/29/7e57bb78-10ab-11e3-8cdd
70
71 http://books.sipri.org/files/FS/SIPRIFS1604.pdf
72 Markoff, J and Shane, S, Documents Show Link Between AT&T and Agency in Eavesdropping Case, The New York Times, 13 April 2006, <http://www.nytimes.com/2006/04/13/us/nationalspecial3/13nsa.html?_r=2&n=Top/News/Business/Companies/AT&T&oref=slogin&>
73 Karr, Timothy, One U.S. Corporation's Role in Egypt's Brutal Crackdown, Huffington Post, 28 January 2011, <http://www.huffingtonpost.com/timothy-karr/one-us-corporations-role-_b_815281.html>
74 List Of Contract Actions Matching Your Criteria: SS8, Federal Procurement Data System, 3 February 2016 <https://www.fpds.gov/ezsearch/search.do?indexName=awardfull&templateName=1.4.4&s=FPDSNG.COM&q=ss8>
75 List Of Contract Actions Matching Your Criteria: Packet Forensics, Federal Procurement Data System, 3 February 2016 <https://www.fpds.gov/ezsearch/search.do?indexName=awardfull&templateName=1.4.4&s=FPDSNG.COM&q=packet+forensics>
76 http://news.bbc.co.uk/1/hi/8161190.stm
77 Citizen Lab, Some Devices Wander by Mistake: Planet Blue Coat Redux, 09 July 2013, <https://citizenlab.org/2013/07/planet-blue-coat-redux/>
78 https://theintercept.com/2014/05/19/data-pirates-caribbean-nsa-recording-every-cell-phone-callbahamas/
79 Demand/Supply: Exposing the Surveillance Industry in Colombia, Privacy International, September 2015, <https://www.privacyinternational.org/sites/default/files/DemandSupply_English.pdf>
United Kingdom
Largely spurred by the conflict in Northern Ireland, the United Kingdom was already by
1981 becoming a world-leader in the development of surveillance and counter-insurgency
technology.80 There are 104 UK companies in the SII. Currently, general UK cyber
capabilities are spurred by the sophistication of its signals intelligence agency, the
Government Communications Headquarters (GCHQ), and the fact it is home to a
number of large arms companies.81
The UK government also promotes exports abroad through the UK Trade and Investment
Defence and Security Organisation, for example proactively assisting surveillance company
Hidden Technologies to access markets abroad by providing advice and introducing the
company to potential customers.82 BAE Systems in 2011 acquired Danish internet and phone
monitoring company ETI for £137 million.83 Bloomberg reports that since 2008, BAE has spent
more than 1 billion on buying surveillance and cyber-security businesses.84 Little is known of
BAE's exports, however, other than reports that ETI had provided the Tunisian
government with internet monitoring technology prior to the 2011 uprising,85 and that it was
the main contractor and systems integrator for a project in Saudi Arabia.86
The UK government has since 2015 made export licensing data publicly available. 98
permanent and temporary licenses were granted in the period 1 January to 31 December
2015 for phone monitoring technology, including to Israel, Bangladesh, Egypt, Saudi
Arabia, Turkmenistan, and the UAE.87 Exports of phone monitoring technology (IMSI
catchers, see technology explainer in annex 1) have been blocked on human rights grounds
to a country in South Asia88 in 2009 and to Ethiopia and Pakistan in 2015. An Open
Individual Export License (OIEL) was granted for equipment, software, and technology for
Intrusion Software on 14 October 2015, giving an exporter permission to sell to 11
countries, including Egypt, Qatar, Saudi Arabia, and the United Arab Emirates. A license
worth 6.5m was issued by the UK on 7 July 2015 for internet monitoring technology to the
UAE. It is not known whether the licenses for internet monitoring and intrusion are for law
enforcement/intelligence gathering purposes.
80 https://www.amnesty.org/download/Documents/200000/pol340051981en.pdf
81 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/275566/UKTI_Cyber_Security_Brochure.pdf
82 https://www.gov.uk/government/case-studies/technology-company-helped-to-secure-millions-of-pounds-ofexport-business
83 http://www.computing.co.uk/ctg/news/2074597/bae-systems-buys-cyber-security-firm-gbp137m
84 http://www.bloomberg.com/news/articles/2016-04-12/bae-taps-cyber-skills-honed-for-spooks-to-wincorporate-clients
85 http://www.bloomberg.com/news/articles/2011-12-12/tunisia-after-revolt-can-alter-e-mails-with-bigbrother-software
86 https://www.information.dk/indland/2016/04/dansk-firma-samarbejde-saudi-arabien-overvaagning
87 UK Department for Business Innovation and Skills, Strategic export controls: reports and statistics, <https://www.exportcontroldb.bis.gov.uk>.
88 http://www.cecimo.eu/site/fileadmin/documents/EU%20LEGISLATION%20AND%20DOSSIERS/Dual-use_legislation/FINAL_REPORT.pdf
Germany
89 http://www.wsj.com/articles/behind-germanys-success-story-in-manufacturing-1401473946
90 http://www.spiegel.de/international/germany/cold-war-espionage-10-000-east-germans-spied-for-thewest-a-508518.html
91 Silver, V. and Elgin, B., Torture in Bahrain becomes routine with help of Nokia Siemens, Bloomberg, 23 Aug. 2011, <http://www.bloomberg.com/news/articles/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking>; Silver, V., EU may probe Bahrain spy gear abuses, Bloomberg, 24 Aug. 2011, <http://www.bloomberg.com/news/articles/2011-08-24/eu-legislators-ask-forinquiry-into-spy-gear-abuses-in-bahrain>
92 Spohr, Frederic, Big Brother Made in Germany, Handelsblatt, 27 March 2015, <https://global.handelsblatt.com/edition/145/ressort/politics/article/big-brother-made-in-germany>
93 Rhoads, C., Iran's web spying aided by Western technology, Wall Street Journal, 22 June 2009, <www.wsj.com/news/articles/SB124562668777335653#printMode>
94 Monitoring the opposition: Siemens allegedly sold surveillance gear to Syria, Der Spiegel, 11 Apr. 2012, <http://www.spiegel.de/international/business/ard-reports-siemens-sold-surveillance-technologyto-syria-a-826860.html>
95 Privacy International, Ethiopia expands surveillance capacity with German tech via Lebanon, 23 March 2015, <https://www.privacyinternational.org/node/546>
96 Privacy International, Tipping the scales: Security & surveillance in Pakistan, July 2015, <https://www.privacyinternational.org/sites/default/files/PAKISTAN%20REPORT%20HIGH%20RES
97 German Parliament, Drucksache 18/2067 auf die Kleine Anfrage der Abgeordneten Agnieszka Brugger, Dr. Konstantin von Notz, Katja Keul, weiterer Abgeordneter und der Fraktion BÜNDNIS 90/DIE GRÜNEN, 18.08.2014, Date accessed 03.02.2016, <http://dipbt.bundestag.de/dip21/btd/18/023/1802374.pdf>
Italy
98 Silver, V., Italian firm said to exit Syrian monitoring project, Bloomberg, 28 Nov. 2011, <http://www.bloomberg.com/news/2011-11-28/italian-firm-exits-syrian-monitoring-project-repubblica-says.html>
99 https://www.theguardian.com/technology/2015/jul/06/hacking-team-hacked-firm-sold-spying-tools-torepressive-regimes-documents-claim
The Arab Uprising drew attention to the security apparatus of the various countries
in the MENA region, most of which were supported by Western states and were
recipients of major defence and security exports, assistance, and intelligence
cooperation.100 The various agencies had access to a wide variety of surveillance
technologies provided overwhelmingly by economically-advanced countries in the
West. The SII currently contains data about 152 transfers to the region. Aside from
China, from which companies have reportedly provided surveillance equipment to
Iran101 and Algeria,102 and South African VasTech, which had provided Ghadaffi's Libya
with nationwide phone monitoring technology,103 all of the transfers have been from
member countries of the OECD. All of the transfers apart from those from China and
Israel have also been from countries that are participating members of the Wassenaar
Arrangement.
Specific surveillance technologies have reportedly been used for a range of human
rights abuses in the region. In Bahrain, school administrator and human rights activist
Abdul Ghani al Khanjar was tortured while being confronted with transcripts of his
text messages and details of his personal communications information reportedly
gained by the use of phone monitoring technology developed in Germany.104 Similarly,
intrusion software developed in the UK was reportedly used to spy on some 77
Bahraini individuals, including prominent lawyers, activists and politicians.105 Two
judicial investigations are still underway in France relating to the complicity of
companies selling internet surveillance technologies in torture and other human
rights abuses in Libya and Syria, following complaints brought by human rights NGOs
FIDH and LDH.106
However, how specific technologies are used and their use in human rights violations
is difficult to quantify given the levels of secrecy. For example, it is difficult to
establish whether victims of extrajudicial killings or torture were initially identified or
located using specific surveillance technologies, despite their obvious utility in this
regard. Moreover, surveillance also has an intangible effect. Surveillance techniques
100 https://www.csis.org/analysis/changing-patterns-arms-imports-middle-east-and-north-africa
101 Stecklow, S, Special Report: Chinese firm helps Iran spy on citizens, Reuters, 22 March 2012, <http://www.reuters.com/article/us-iran-telecoms-idUSBRE82L0B820120322>
102 Africa Intelligence, Bouteflika set to be Internet spymaster, N1176 05/11/2015, <http://www.africaintelligence.com/MCE/power-brokers/2015/11/05/bouteflika-set-to-be-internet-spymaster,108109971-ART>
103 Sonne, P. and Coker, M., Firms aided Libyan spies, Wall Street Journal, <www.wsj.com/articles/SB10001424053111904199404576538721260166388>
104 http://www.bloomberg.com/news/articles/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking
105 https://bahrainwatch.org/blog/2014/08/07/uk-spyware-used-to-hack-bahrain-lawyers-activists/
106 https://www.fidh.org/en/region/europe-central-asia/france/15116-france-opening-of-a-judicialinvestigation-targeting-qosmos-for-complicity
107 http://curia.europa.eu/juris/documents.jsf?num=C-293/12#
108 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2769645
109 https://www.amnesty.org/en/latest/research/2016/02/annual-report-201516/
110 https://freedomhouse.org/report/freedom-world/freedom-world-2015#.VyoczpMrLeQ
111 https://rsf.org/en/ranking
Surveillance technologies and techniques used for civilian law enforcement are
also used in military and counter-terrorism applications by armed forces, part of
a wider trend to utilize electronic intelligence and autonomous systems over
human involvement.
Phone monitoring technology can also be used to identify an individual for a strike.
In 2014, a former US drone operator revealed that the CIA and military were using
metadata from mobile phones obtained by the NSA for drone strikes and night
raids.112 In the same way that IMSI catchers, described in Annex 1, are used by US
law enforcement agencies aboard light aircraft to identify mobile phones, for example
after the attacks in San Bernardino,113 they can also be fitted on drones to identify
phones for assassination. The former operator is quoted as saying "We're not going
after people – we're going after their phones, in the hopes that the person on the
other end of that missile is the bad guy." Infamously, a former director of the NSA and
the CIA, General Michael Hayden, has also stated that "We kill people based on
metadata."114 IMSI catchers can also be used to provide tactical intelligence to armed
forces engaged in conflict.115 For example, Israel Aerospace Industries, an arms
company and producer of drones, also produces IMSI catchers specifically for
mounting upon helicopters and aerostats.116
Hacking techniques used in intrusion products are also employed for espionage and
sabotage by nation states. The commercial intrusion surveillance technology on the
market essentially makes the process of hacking into an individual's phone or
computer easier and more systematic. Intrusion works by installing malicious code, or
malware, onto a device. The malware can then carry out functions unknown to the
device's owner and without their permission. For example, it could access data, take
a screenshot, switch on the webcam, or switch on the microphone, and subsequently
transmit the data elsewhere. In this way such technologies are extremely invasive,
bypassing any forms of encryption and IT security measures as well as having the ability
to modify data. The companies selling commercial intrusion products on the market
aim to minimise the burden and expertise involved in this process by offering training
and the required software and hardware solutions.
112 https://theintercept.com/2014/02/10/the-nsas-secret-role/
113 http://www.dailymail.co.uk/news/article-3356608/So-terrorists-Homeland-Security-deployed-hi-tech-spyplane-scoops-tens-thousands-phone-calls-one-time-San-Bernardino-days-massacre.html
114 http://www.nybooks.com/daily/2014/05/10/we-kill-people-based-metadata/
115 http://www.defensenews.com/story/defense/land/army/2015/05/13/israel-ground-forces-maneuvering-armorvehicles-precision-unmanned-robotics-tank/26968519/
116 http://www.iai.co.il/Sip_Storage//FILES/7/36827.pdf
In order to install the malware, targets can be sent fake attachments within emails or
other communications. It is also possible to install intrusion technologies at a network
level within Internet Service Providers, meaning that malware can be delivered
simply by an individual going on a specific website or updating a specific programme,
such as a browser.
Malware can also be delivered using exploits. An exploit is software code which
takes advantage of vulnerabilities in code to carry out a specific function. An exploit
which takes advantage of wholly unknown vulnerabilities, that is, where the manufacturer of
the product does not know that a vulnerability exists, is known as a zero day exploit.
The discovery of zero day exploits can be extremely valuable: companies may pay
for information about vulnerabilities in their products, for example. Hackers and
governments also buy and use zero days and other exploits for offensive purposes
and for surveillance. This has led to a white, black, and grey market for such code.
Companies such as French-based VUPEN, now known as Zerodium and based in
Washington D.C.,117 sell exploits to government agencies such as the NSA.118
Surveillance companies selling intrusion also purchase exploits to then re-sell to
customers.119 Hacking Team, for example, paid one exploit developer $45,000 for a
single exploit for Adobe Flash.120 In the same way that this exploit code can be used
for surveillance, it can also be used for espionage and sabotage. Stuxnet, for
example, the attack against Iran's nuclear centrifuges developed by the US and
Israel, used four zero days.121 Edward Snowden claims that in 2012 the NSA
inadvertently cut off Syria's entire internet when it attempted to remotely install an
exploit within the state ISP to monitor the country's communications.122
117 http://www.pcworld.com/article/3000637/security/winner-claimed-in-1-million-ios-9-hacking-contest.html
118 http://www.zdnet.com/article/nsa-purchased-zero-day-exploits-from-french-security-firm-vupen/
119 https://www.privacyinternational.org/node/447
120 http://arstechnica.co.uk/security/2015/07/how-a-russian-hacker-made-45000-selling-a-zero-day-flashexploit-to-hacking-team/
121 http://www.buzzfeed.com/jamesball/us-hacked-into-irans-critical-civilian-infrastructure-for-ma#.wwrW49AkP
122 http://www.wired.com/2014/08/edward-snowden/
123 http://www.duncancampbell.org/content/nsa-inside-five-eyed-vampire-squid-internet
124 https://theintercept.com/2014/06/18/nsa-surveillance-secret-cable-partners-revealed-rampart-a/
125 http://www.duncancampbell.org/content/nsa-inside-five-eyed-vampire-squid-internet
126 http://www.theregister.co.uk/2014/06/03/revealed_beyond_top_secret_british_intelligence_middleeast_internet_spy_base/
Phone monitoring and analysis technologies are used to identify military targets. For
example, a June 2012 document leaked by Snowden describes SKYNET, an analysis
programme which looks for patterns and behaviours within the metadata of mobile
phones.127 When a mobile phone is connected to a network, it communicates with
base stations in the area and sends information to the telecommunications operator
for billing and other purposes. The NSA presentation appears to show that the NSA
receives this information from the telecommunications providers in Pakistan. Using
this metadata, SKYNET sought to identify phones which might belong to an
individual of intelligence value, such as a courier. For example, the
metadata could show that the individual was repeatedly visiting locations of interest.
It is not known how the NSA accesses this intelligence, whether it is the Pakistani
intelligence agencies which initially use phone monitoring technology (Pakistan is an
approved third party) and subsequently share it, or whether the NSA obtains it
unilaterally, either in cooperation with Pakistani partners by using phone monitoring
technology or by hacking.
127 https://theintercept.com/2015/05/08/u-s-government-designated-prominent-al-jazeera-journalist-al-qaedamember-put-watch-list/
Regulatory Mechanisms
Given the strategic value of some surveillance technologies and their human rights
implications, several regulatory mechanisms by various countries aimed at governing
their trade have been initiated, and there have also been calls for industry standards.
Self-regulation by the surveillance companies themselves is a crucial mechanism. In
2014, the UK government and Tech UK, an industry association, produced guidelines
for companies to assess the risk to human rights posed by exports of cyber security
technologies by conducting due diligence and post monitoring practices.128 In 2011,
the Electronic Frontier Foundation, an NGO based in the US, published a "Know Your
Customer" guide for surveillance companies.129
Some surveillance technologies have been incorporated into sanctions regimes. The
EU has embargoed the transfer of surveillance technologies as part of Restrictive
Measures against Syria and Iran. Following a Council Decision in December 2011,
Council Regulation (EU) 36/2012 in January 2012 imposed a ban on the sale, supply,
transfer or export, directly or indirectly of surveillance equipment, technology or
software whether or not originating in the Union, to any person, entity or body in Syria
or for use in Syria. Similar measures were imposed within Council Regulation (EU) No
264/2012 targeting Iran on a broad range of surveillance technologies, as well as
technology and software used for their development and use.130 The items included:
• Deep Packet Inspection equipment
• Network Interception equipment including Interception Management Equipment (IMS) and Data Retention Link Intelligence equipment
• Radio Frequency monitoring equipment
• Network and Satellite jamming equipment
• Remote Infection equipment
• Speaker recognition/processing equipment
• IMSI, MSISDN, IMEI, TMSI interception and monitoring equipment
• Tactical SMS/GSM/GPS/GPRS/UMTS/CDMA/PSTN interception and monitoring equipment
• DHCP/SMTP, GTP information interception and monitoring equipment
• Pattern Recognition and Pattern Profiling equipment
• Remote Forensics equipment
• Semantic Processing Engine equipment
• WEP and WPA code breaking equipment
• Interception equipment for VoIP proprietary and standard protocol
128 https://www.techuk.org/images/CGP_Docs/Assessing_Cyber_Security_Export_Risks_website_FINAL_3.pdf
129 https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-standards-salessurveillance-equipment
130 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:087:0026:0036:EN:PDF
131 https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressivecountries/
132 https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressivecountries/
133 http://www.forbes.com/sites/thomasbrewster/2015/07/09/wikileaks-hacking-team-fsb-sales/#7819171a5557
134 http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=E-2015-010931&language=EN
135 https://cihr.eu/wp-content/uploads/2014/06/Uncontrolled-Surveillance_March-2014.pdf
136 http://www.reuters.com/article/syria-sanctions-fine-idUSL6N0DC4W120130425
Trade Controls
137 http://www.wassenaar.org/wp-content/uploads/2015/06/Revised-Summary-of-Changes-to-Control-Lists.pdf
138 http://www.cecimo.eu/site/fileadmin/documents/EU%20LEGISLATION%20AND%20DOSSIERS/Dual-use_legislation/FINAL_REPORT.pdf
139 https://cda.io/r/ConsiderationsonWassenaarArrangementProposalsforSurveillanceTechnologies.pdf
140 http://www.wassenaar.org/wp-content/uploads/2015/06/WA-Plenary-Public-Statement-2013.pdf
141 http://online.wsj.com/news/articles/SB10001424052970203764804577056230832805896.
142 http://businesshumanrights.org/en/amesys-lawsuit-re-libya-0#c18496.
The addition of items related to intrusion software was proposed by the United
Kingdom and also agreed at the WA in December 2013. The UK government has
stated that these controls were on "Complex surveillance tools which enable
unauthorised access to computer systems"143 introduced because of real concerns
about the use of such tools to breach human rights and the risks that they pose to
national security.144 The controls distinguished between the components used to create
and control the malware and the malware itself, meaning that the malware component
is not targeted, but rather the command and control infrastructure used to generate,
install and instruct the malware.145
The 2013 additions to the Wassenaar list were added into the EU Dual Use regulation
in January 2015. The regulation, which is binding on member states, incorporates
decisions to include items for licensing restrictions taken at Wassenaar level, meaning
that member states have been controlling the 2013 items since then.
In July 2015, the US Bureau of Industry and Security (BIS) published a proposed
implementation of the 2013 additions, causing widespread concern among IT security
researchers relating specifically to the implementation of controls on intrusion
software. Concerns largely revolved around the fact that the US had interpreted the
international agreement too broadly and that the language used by BIS could be
interpreted to cover the development of malware and sharing of information about
vulnerabilities, meaning that researchers would have to apply for an
export license before sharing information about vulnerabilities. Following an open round
of submissions, BIS has since agreed to reinterpret the agreement and attempt to
update the control language within the Wassenaar Arrangement itself.
Israel is not a participating member of the Wassenaar Arrangement, although it does
include items added to the Wassenaar Arrangement's control list within its own list of
strategically controlled goods. In January 2016, the Israeli Defense Exports Control
Agency published proposed rules aiming to make a broad range of technologies that
can be used for surveillance subject to licensing, going further than any other
participating country and far beyond what was decided at the Wassenaar
Arrangement, by explicitly stating that the export of exploits would be regulated.146
Amid significant opposition from Israeli defence contractors,147 in April it was
reported that the Israeli authorities scaled back many of the proposals.148
143 https://www.techuk.org/images/CGP_Docs/Assessing_Cyber_Security_Export_Risks_website_FINAL_3.pdf
144 http://blogs.bis.gov.uk/exportcontrol/files/2015/08/Intrusion-Software-Tools-and-Export-Control1.pdf
145 https://cda.io/r/ConsiderationsonWassenaarArrangementProposalsforSurveillanceTechnologies.pdf
146 http://www.gkh-law.com/cyber-update-february-2016/
147 http://www.defensenews.com/story/defense/policy-budget/cyber/2016/01/26/israeli-govt-reaches-outbefore-clamping-down-cyber-exports/79364842/
148 http://www.globes.co.il/en/article.aspx?did=1001119266&from=iglobes
Since 2011, and around events during the Arab Uprising, the EU has been conducting
a review of the Dual Use Regulation. In 2011, the European Commission published a
Green Paper and call for evidence, followed by a report on the public consultation
being adopted in January 2013. Regarding surveillance technology, the Commission
Communication published in 2014 recognised the risk posed by the emergence of
specific cybertools for mass surveillance, monitoring, tracking and interception,
while importantly also recognising the interlinkages between human rights, peace
and security.149 Privacy International through the Coalition Against Unlawful
Surveillance Exports (CAUSE)150 is campaigning for the regulation to mandate that
member states require companies to apply for an export license for all types of
surveillance technologies where practically possible, that they appropriately assess
human rights risks in the assessment process, and that they report data about granted
and denied licenses to foster transparency and accountability.
Any changes to the Regulation will need to be agreed upon by all member states, as
well as by the European Parliament. The Parliamentary Subcommittee on Human
Rights and the Committee on International Trade convened a hearing on surveillance
technologies in January 2015. In April 2015, the Foreign Affairs Committee of the
European Parliament adopted a report by MEP Marietje Schaake on "Human rights
and technologies: the impact of digital surveillance and intrusion systems on human
rights in third countries", which was approved by the parliament in Autumn 2015.151
The Commission also initiated an impact assessment aimed at informing the policymaking process by quantifying and providing objective data on the industry and the
potential cost of any regulatory changes. Ecorys, a European research and
consultancy company, in partnership with SIPRI, carried out a data collection project,
including a component specifically focused on surveillance technologies, to inform
the impact assessment. The report was submitted to the Commission in November
2015 and provides a broad and detailed analysis of the European market for
surveillance technologies and policy issues.152 The Commission also initiated an
online consultation on potential regulatory changes.153
Simultaneously, a Subcommittee, the Surveillance Technology Working Group
(STEG), was established within the DG Trade Dual Use Working Group. Consisting
of experts from the national licensing authorities in Germany, the Netherlands,
Finland, Sweden, Denmark, the UK, France and Poland, the working group is aimed
at identifying surveillance technology that poses a risk to human rights and how it
can be effectively controlled.
The European Commission is due to publish a draft proposal in late 2016.
149 http://ec.europa.eu/smart-regulation/impact/planned_ia/docs/2014_trade_014_dual_use_en.pdf
150 CAUSE is a coalition of NGOs consisting of Access, Amnesty International, Digitale Gesellschaft, Human Rights Watch, the International Federation for Human Rights (FIDH), the Open Technology Institute at the New America Foundation, and Reporters Without Borders.
151 http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A8-2015-0178+0+DOC+XML+V0//EN
152 http://www.sipri.org/news/EU-dual-use-review
153 http://trade.ec.europa.eu/consultations/index.cfm?consul_id=190
Conclusion
Surveillance technologies are not new. Wiretapping equipment and other electronic
technologies used to identify, track, and monitor individuals have been used widely
throughout the 20th century. State espionage and civilian monitoring were a common
feature throughout the Cold War, in both blocs. The spread of the internet and new
communications methods has, however, increased both the intrusiveness of
surveillance and its power. The ability to monitor entire groups and nations on
a mass scale poses new and substantially more grave human rights issues. Reforms
of surveillance laws undertaken as a direct result of Edward Snowden's disclosures
show how even within political systems with significant checks and balances,
surveillance capabilities have outstripped the ability of laws to effectively regulate
them.162 In non-democratic and authoritarian systems, the power of surveillance
technologies means that they can be used for human rights abuses and undermine
democratic development and privacy, a human right essential in allowing individuals
control, dignity, and the realisation of other human rights. Individuals have had their
communications read to them during torture,163 while opposition activists have had
their entire communications infiltrated and monitored.164 Intelligence agencies are
utilizing modern communications to carry out military attacks, and it's now technically
possible for entire opposition movements and large sections of society to be
surveilled, systematically and relatively cheaply.165 166
Understanding the role that the private surveillance sector plays in surveillance
worldwide is crucial to developing comprehensive safeguards and effective policy.
A lack of reliable data makes this difficult, however. How the industry functions, the
capabilities of the technology, where it is sold, and how it is used are shrouded in
secrecy. Privacy International has collected data within the SII, while what is known
about where technologies are sold is known only because of investigative reporting
and the government transparency arising from export licensing restrictions. From the data
that is available, it appears clear that surveillance technologies are generally
produced and traded from economically advanced large arms exporting states in the
northern hemisphere. Exports to countries in the global south and authoritarian
countries overwhelmingly come from these states.
162 https://www.theguardian.com/technology/2015/jun/06/surveillance-privacy-snowden-usa-freedom-actcongress
163 http://www.bloomberg.com/news/articles/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking
164 http://apnews.excite.com/article/20150807/lt--ecuador-hacking_the_opposition-18a465a3dd.html
165 https://bahrainwatch.org/blog/2014/08/07/uk-spyware-used-to-hack-bahrain-lawyers-activists/
166 https://www.privacyinternational.org/node/816
The fact that the vast majority of surveillance companies and reported sales of
technologies come from companies in advanced economies also presents
opportunities in terms of regulatory mechanisms. Both sanctions and export licensing
restrictions have been used to block specific transfers of surveillance technologies
and provide data on their trade. Various states and the EU have pursued instruments
to ensure that human rights are appropriately considered within the trade in
surveillance technologies. The mechanisms used for this, sanctions and export
controls, are rooted in the Cold War, however, and pose significant
difficulties and potential for unintended consequences.
Nevertheless, from what is known about their use and trade, it is clear that safeguards
are a matter of urgency. A comprehensive approach should be pursued incorporating
export restrictions where possible as well as improved standards in corporate social
responsibility.167 While pro-active due diligence on the behalf of companies is a
necessary start, without instruments capable of restricting transfers and shining a light
on the companies and the trade, surveillance technologies developed in and traded
from the West will further undermine privacy and facilitate other abuses. This will not
only undermine the human rights of individuals in some of the most authoritarian
countries across the world in the name of security, it will also undermine
democratisation itself, leading to instability and, ultimately, international insecurity.
167 Bromley et al., ICT Surveillance Systems: Trade Policy and the Application of Human Security Concerns, Strategic Trade Review, Spring 2016, <http://www.str.ulg.ac.be/wp-content/uploads/2016/03/StrategicTrade-Review-Issue-02.pdf>
Annex
Surveillance Technology Explainers
Description
Internet Monitoring (Includes Deep Packet Inspection & Fibre Taps / Probes)
Phone Monitoring (Includes Off the air interception & Lawful Interception technologies)
Intrusion
Monitoring Centre
Location Monitoring
Technologies that monitor the location of a target, sometimes using their mobile
phone, others using GPS tracking devices placed on the person or their vehicle
Biometrics
Analysis
Technology that uses information gathered from sources such as social networks
to map out relationships between monitored users, recognise patterns within data,
analyse the meaning of words, etc.
Audio Surveillance
Video Surveillance
Equipment
Counter-Surveillance